August 13th, 2003, 09:13 PM
Zone Alarm Woes -- a warning and question
(W2K/SP4, ZA 4.0.123.012)
Same reaction on two machines...
When running zone alarm, regardless of the zone that the target machine is in, when I attempt a TCP/IP intensive activity (Brutus, nmap, multiple telnets, etc.) the system will become unresponsive. The mouse works and MAY be able to close some open windows, usually not. Task manager will activate (in the bottom tray -- but not as a window/GUI) and Start/shutdown just laughs at me (won't restart or shutdown). ZA will still be responsive, but trying to shut it down at this point results in a message about true-vector waiting to shutdown... then the screen stops refreshing...
Yes, all these tasks work fine without ZA running. ZA is fine with simple web browsing, or ftp sessions. But don't over-tax that ZA true-vector! My guess is it chokes when too much traffic is tossed at it.
The only thing to do at this point is a hard boot.
Ideas? Similar things happen to you?
It MUST be a problem with ZA, because I remember in all my M$ training that the Windows kernel would NEVER allow such a thing to happen...
Is it my imagination, or is there a direct correlation to how much you spend on software, and the likelihood of it being crap?
August 13th, 2003, 09:39 PM
You are correct, it is a problem with ZA. When you use a rapid packet program like Nmap, ZA is attempting to inspect each packet that is trying to pass through, and effectively creating a DoS. If you open the task manager and then run nmap, you will see your processor spike to 100% and will stay there until all packets are accepted/rejected.
Suggestion: Dump Zone alarm - It's crap.
August 13th, 2003, 09:43 PM
I've had dozens of problems since using ZoneAlarm - I initially installed/configured it because I was getting a broadband (DSL) connection so I'd be online for long periods of time. It totally stopped my network at first, because the security settings it chose stopped internal traffic (through NetBIOS), and it wouldn't usually let me access websites running on ports other than the default 80 in the range 1 - 1024 (e.g. port 83).
If you want a decent firewall, the best course of action is to disable/uninstall zonealarm and cough up for a hardware firewall. I have a D-LINK DSL-504 router with built-in 4 port switch, firewall, broadband modem and DHCP server. It was fairly easy to set up, runs 24/7 (and so protects the entire network, regardless of how many machines are actually switched on), rarely needs updating (although firmware updates can easily be downloaded/applied) and only cost me £100.
In the long run, a hardware firewall is probably cheaper than a software version, if you buy a dedicated box (by this I don't mean a full-blown computer, just a small box that sits on your desk and protects the entire network). They might not be quite as easy to configure (although mine has a decent web-based interface, with the option for a console to be plugged in directly) but when ZoneAlarm Pro costs $49.95 for a 1 year single license it's going to be a lot cheaper in the long run to buy a dedicated hardware box.
August 13th, 2003, 10:21 PM
I'm behind some good ACLs -- my most common use for ZA is to protect me from my "targets" (during pen testing) -- and to make sure I'm not spewing out anything I'm not supposed to be, well, spewing. ZA has a handy feature that will let me add my target list to a "trusted zone" for automated scans to go through (and back) un-molested.
I'm not familiar with Tiny, or Black Ice. Will they let me use a function like the zones settings?
Suggestions for ZA replacement?
I NEVER had this problem with previous versions...
So there IS a direct correlation between popularity-price-revision level and crappiness.
August 13th, 2003, 10:31 PM
I am currently using ZoneAlarm 4.0 and have no trouble connecting to servers at non default ports. An example is my mailserver, which has a webmail port of 8383.
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
August 14th, 2003, 05:44 AM
Have no problems with ZoneAlarm either. I'd say pwaring has it pretty good. Funny thing is the firewalls you run up against. Ya send out garbage then Zone Alarm gets it back; yeah, some firewalls one can set a response to different packets. I'd say the problem is not really Zone Alarm but what you're doing hiding behind a firewall. Sorry, lots of flavors of firewalls, and Zone Alarm is a lightweight compared against enterprise firewalls.
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg
August 14th, 2003, 06:27 AM
It may not be related, but I have had similar problems with ZA, but only on one box running Me. Two other boxes running Me are fine.
This box also does not close properly... ZA's "vsmon" program causes a fault in kernel32.dll, or something like that.
I have tried disabling the "mailscan" feature, but this had no effect?
August 14th, 2003, 03:30 PM
ZoneAlarm doesn't have problems with me connecting to non-standard ports above 1024, but ones below that seem to cause problems (so 8383 or 8080 would be okay, but 83 wouldn't).
I have uninstalled it now anyway, my hardware firewall works much better and it protects my network even if some/all the computers are turned off.
August 14th, 2003, 06:08 PM
Software firewalls defeat their own purpose. A firewall is meant to be a separate entity designed to keep bad traffic from getting to the internal network or machine. If your *software* firewall is on the machine it is protecting then the attack is already at the front door.
Not to mention it consumes precious resources on the computer/server it's *trying* to protect. Any good implementation of a firewall will place it between the public interface and the local network. With NAT/Proxy and/or a good IDS on the backend. The multi-layered approach is always best practice.
Next make sure you have a SOLID user awareness program in place before anything else. All it takes is 1 machine with netcat on it and your whole firewall scheme is hosed.
August 14th, 2003, 07:17 PM
pwaring, zonealarms (or any other personal firewall) serve a different purpose than an external firewall. On the inbound port there is a lot of crossover, and that is where the external firewall is superior. It's the outbound side of communications that your personal firewall is useful; it can allow/deny programs access to the network based on each individual program regardless of port. True, some hardware firewalls can do this but you drop a lot of cash for those. It's nice to know that if you catch a trojan/virus you can deny it access to the web (or any other program that doesn't need web access). We use a distributed firewall (along with hardware firewalls) and amongst other uses this allows us to use an IM clone for interoffice communications without allowing it to connect to the rest of the web.
A good security procedure is always implemented in depth, firewalls are no different.
Who is more trustworthy than all of the gurus or Buddha’s?